Oracle Warns PeopleSoft Customers After Critical Zero-Day Exploited

Oracle issued emergency guidance for CVE-2026-35273, a critical PeopleSoft flaw exploited in a ShinyHunters-linked campaign targeting universities.

Written by
Joseph Ofonagoro
Jun 15, 2026
A critical Oracle PeopleSoft flaw is already being exploited, putting more than 100 organizations on alert.

Oracle issued an emergency advisory for CVE-2026-35273, a vulnerability affecting PeopleSoft versions 8.61 and 8.62 that can allow unauthenticated remote code execution. Google Threat Intelligence Group and Mandiant researchers said the campaign targeted internet-exposed systems used by universities, businesses, and other large institutions.

The suspected link to ShinyHunters raises the stakes. For organizations running PeopleSoft, this is not just a patching issue. It is an incident-response clock already ticking.

Breakdown of the vulnerability

Researchers from both the Google Threat Intelligence Group and Mandiant say the campaign was observed between May 27 and June 9. Because this vulnerability was actively exploited for days before it was discovered, it is regarded as a zero-day vulnerability.

The campaign targeted Oracle PeopleSoft, an enterprise resource planning (ERP) tool used by organizations to manage activities such as payroll and HR. Attackers exploited the vulnerability in PeopleSoft versions 8.61 and 8.62.

According to Oracle, successfully exploiting this vulnerability can lead to remote code execution (RCE) without authentication, potentially allowing attackers to gain control of vulnerable systems and the data within them.

On June 10, the company issued an emergency alert about the vulnerability now tracked as CVE-2026-35273 and published mitigation guidance for affected customers.

Scope of the breach

Although no one has claimed responsibility for the attacks, Google security researchers attribute the activity to the ShinyHunters hacking group. The group is known for targeting third-party vendors used by large organizations, stealing sensitive data, and then threatening to publish it unless victims pay a ransom.

The suspected involvement of ShinyHunters is notable given the group’s familiar techniques and its recent attack on the education sector. In May, ShinyHunters claimed responsibility for the breach of Canvas, the widely used learning management platform deployed by schools and universities around the world.

That focus appears to carry over into the Oracle PeopleSoft campaign. According to Google, 68% of the exposed organizations identified during its investigation were in the education sector, suggesting universities and colleges were among the primary targets of the activity.

Google said it alerted more than 100 organizations whose PeopleSoft IP addresses matched vulnerable endpoints. While the full scope of the campaign remains under investigation, the findings indicate the attacks were neither isolated nor limited to a single industry.

What should organizations using Oracle PeopleSoft do next?

The vulnerability has a CVSS base score of 9.8, which places it in the critical tier. Given the evidence of active exploitation before public disclosure, organizations running affected PeopleSoft deployments should assume they, too, are compromised.

Google recommends reviewing logs and investigating any suspicious activity occurring between late May and early June, the period during which researchers observed exploitation in the wild. Organizations should also look for signs of unauthorized access and persistence mechanisms that may have been deployed after an initial compromise.
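One way to start that log review, as an added example that is not code from Oracle, Google or this article: it normalizes access-log timestamps to UTC before applying the May 27 to June 9 window, so entries logged in a local timezone are not missed, and summarizes requests from external sources. The log layout, the internal address ranges, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Window the article reports (May 27 to June 9, 2026), taken as whole UTC days.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive bound
# Assumption: internal address space; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: common/combined access-log layout.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) \S+[^"]*" (?P<status>\d{3})\b')

def parse_line(line):
    """Return (ip, utc_time, method), or None if the line is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, ts.astimezone(timezone.utc), m["method"]

def triage(lines):
    """Summarise in-window requests from external sources, keyed by source IP."""
    summary, unparsed = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count these: silently dropped lines hide log gaps
            continue
        ip, ts, method = rec
        if not (WINDOW_START <= ts < WINDOW_END) or any(ip in n for n in INTERNAL_NETS):
            continue
        s = summary.setdefault(str(ip), {"count": 0, "methods": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["methods"].add(method)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return summary, unparsed

# Constructed sample lines (documentation-range addresses, placeholder paths).
SAMPLE = [
    '10.1.2.3 - - [28/May/2026:09:00:00 +0000] "GET /app HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/May/2026:22:30:00 -0500] "POST /app HTTP/1.1" 200 128',
    '203.0.113.7 - - [26/May/2026:12:00:00 +0000] "GET /app HTTP/1.1" 200 128',
    '198.51.100.9 - - [09/Jun/2026:23:59:59 +0000] "POST /app HTTP/1.1" 500 0',
    'truncated or corrupt line',
]
```

The per-source summary is a list of where to look first, not a verdict. Widen the window constants if your review covers a longer period than the dates the researchers reported.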

Oracle has released mitigation guidance for CVE-2026-35273 and is urging all customers to apply the recommended security updates.

For affected organizations, applying Oracle’s mitigations should be only the first step. Security teams should also review activity from late May and early June, check for persistence, and treat exposed PeopleSoft systems as potential entry points until logs and indicators prove otherwise.
